CyberWire Daily - When updates attack.
Episode Date: August 7, 2024

CrowdStrike releases a postmortem. LoanDepot puts a multimillion dollar price tag on their ransomware incident. RHADAMANTHYS info stealer targets Israelis. Zola ransomware is an advanced evolution of the Proton family. Firefox fixes several high-severity vulnerabilities. Researchers at Certitude uncover a vulnerability in Microsoft 365's anti-phishing measures. Threat actors exploit legitimate anti-virus software for malicious purposes. Samsung's new bug bounty program offers rewards up to a million dollars. Guest Adam Marré, CISO at Arctic Wolf, joins us to share his observations on the ground at Black Hat USA 2024. Ransomware gangs turn the screws and keep up with the times.

Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Adam Marré, CISO at Arctic Wolf, joins us to share his observations as our man on the street from Black Hat USA 2024.

Selected Reading
CrowdStrike Publishes Technical Root Cause Analysis of Faulty Falcon Update (Cyber Security News)
Ransomware Attack Cost LoanDepot $27 Million (SecurityWeek)
RHADAMANTHYS Stealer Weaponizing RAR Archive To Steal Login Credentials (Cyber Security News)
New Zola Ransomware Using Multiple Tools to Disable Windows Defender (GB Hackers)
Firefox Patches Multiple High Severity Vulnerabilities (Cyber Security News)
Exploring Anti-Phishing Measures in Microsoft 365 (Certitude Blog)
Hackers Hijack Anti-Virus Software Using SbaProxy Hacking Tool (Cyber Security News)
Samsung to pay $1,000,000 for RCEs on Galaxy's secure vault (Bleeping Computer)
Turning the screws: The pressure tactics of ransomware gangs (Sophos News)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Transcript
You're listening to the CyberWire Network, powered by N2K.
CrowdStrike releases a post-mortem.
Loan Depot puts a multi-million dollar price tag on their ransomware incident.
Rhadamanthys infostealer targets Israelis.
Zola ransomware is an advanced evolution of the Proton family.
Firefox fixes several high-severity vulnerabilities.
Researchers at Certitude uncover a vulnerability in Microsoft 365's anti-phishing measures.
Threat actors exploit legitimate antivirus software for malicious purposes.
Samsung's new bug bounty program offers rewards up to a million dollars.
Our guest is Adam Marré, CISO at Arctic Wolf,
joining us to share his observations on the ground at Black Hat USA 2024.
And ransomware gangs turn the screws and keep up with the times.
It's Wednesday, August 7th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thanks for joining us here today. As always, it is great to have you with us.
CrowdStrike has released a detailed analysis of the Falcon sensor update issue that occurred on July 19th, causing system crashes for millions of Windows users. The problem stemmed from a mismatch between the expected input fields for the sensor's content interpreter and those provided by a new template type introduced in February. Specifically, the IPC template type required 21 input fields, but the sensor only supplied 20, a discrepancy missed during development due to the use of wildcard matching criteria. The issue was triggered when a non-wildcard criterion was deployed, causing an out-of-bounds memory read and resulting in crashes. CrowdStrike's report outlines several mitigations, including implementing compile-time validation, adding runtime checks, expanding testing, correcting logic errors, and introducing staged deployments. They're also providing customers with control over updates. As of July 29th, 99% of affected Windows systems were back online, with a hotfix expected by August 9th. Two independent reviews of the Falcon sensor code have been commissioned by CrowdStrike.
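As an added illustration of the two mitigations named in that segment, compile-time validation and runtime checks, here is a constructed C model of a content interpreter. It is not CrowdStrike's code: the template, input and criterion structures, the field counts, the status codes and the sample values are all assumptions made for this example. It shows why a wildcard criterion hides a declared-versus-supplied field mismatch (the field is never dereferenced) and how a bounds check placed before the wildcard test, plus a load-time compatibility check, turns the same mismatch into a reported error instead of an out-of-bounds read.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not CrowdStrike's code. A content template declares how
 * many input fields its criteria may reference; the sensor supplies an array of
 * fields. The mismatch described in the segment is modelled here as a template
 * declaring 21 fields while the sensor builds only 20. */
#define TEMPLATE_DECLARED_FIELDS 21   /* assumed: what the template type promises */
#define SENSOR_SUPPLIED_FIELDS   20   /* assumed: what the sensor actually builds */

typedef struct {
    const char *fields[SENSOR_SUPPLIED_FIELDS];
    size_t count;                     /* must equal the array length */
} sensor_input_t;

/* Compile-time validation: the count constant cannot drift from the array size.
 * If someone changes one without the other, the build fails. */
_Static_assert(sizeof(((sensor_input_t *)0)->fields) / sizeof(const char *)
               == SENSOR_SUPPLIED_FIELDS, "field array and field count disagree");

typedef struct {
    size_t field_index;   /* zero-based input field the criterion inspects */
    const char *pattern;  /* NULL means wildcard: matches regardless of value */
} criterion_t;

enum eval_status { EVAL_OK = 0, EVAL_FIELD_OUT_OF_RANGE = 1 };

/* Load-time check: reject a template whose declared field count exceeds what
 * the sensor supplies, before any criterion from it is ever evaluated. */
bool template_compatible(size_t declared_fields, size_t supplied_fields)
{
    return declared_fields <= supplied_fields;
}

/* Runtime check inside the interpreter: bounds-test the index BEFORE deciding
 * whether the criterion is a wildcard. Testing for wildcard first is exactly
 * what lets a mismatch survive until the first non-wildcard rule arrives. */
enum eval_status evaluate_criterion(const sensor_input_t *in,
                                    const criterion_t *c, bool *matched)
{
    *matched = false;
    if (c->field_index >= in->count)
        return EVAL_FIELD_OUT_OF_RANGE;   /* unchecked, this would read past fields[] */
    if (c->pattern == NULL) {             /* wildcard: value is irrelevant */
        *matched = true;
        return EVAL_OK;
    }
    const char *value = in->fields[c->field_index];
    *matched = (value != NULL && strcmp(value, c->pattern) == 0);
    return EVAL_OK;
}

/* Builds a 20-field input populated with constructed sample values. */
sensor_input_t make_sample_input(void)
{
    sensor_input_t in;
    in.count = SENSOR_SUPPLIED_FIELDS;
    for (size_t i = 0; i < in.count; i++)
        in.fields[i] = "sample-value";
    in.fields[3] = "field-three-value";   /* constructed value for field 3 */
    return in;
}

int main(void)
{
    printf("template compatible: %s\n",
           template_compatible(TEMPLATE_DECLARED_FIELDS, SENSOR_SUPPLIED_FIELDS)
               ? "yes" : "no (rejected at load time)");

    sensor_input_t in = make_sample_input();
    bool matched = false;

    /* A wildcard on field 20 of a 20-field input: tolerated by a wildcard-first
     * interpreter, but reported by this one before any memory is touched. */
    criterion_t wildcard_21st = { 20, NULL };
    printf("wildcard on field 20 -> status %d\n",
           evaluate_criterion(&in, &wildcard_21st, &matched));

    /* A non-wildcard criterion on the same field gets the same error rather
     * than an out-of-bounds read. */
    criterion_t literal_21st = { 20, "anything" };
    printf("literal on field 20  -> status %d\n",
           evaluate_criterion(&in, &literal_21st, &matched));

    /* Normal in-range evaluation still works. */
    criterion_t ok = { 3, "field-three-value" };
    evaluate_criterion(&in, &ok, &matched);
    printf("literal on field 3   -> matched %s\n", matched ? "true" : "false");
    return 0;
}
```

The ordering inside `evaluate_criterion` is the point: the bounds check sits ahead of the wildcard shortcut, so a template that over-declares its fields is caught on the very first criterion, wildcard or not, and `template_compatible` catches it earlier still, when the content is loaded rather than when it is evaluated.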
LoanDepot reported nearly $27 million in costs from a ransomware attack disclosed in January. The breach potentially compromised personal details of over 16 million individuals, including Social Security and financial account numbers. Expenses include investigation, remediation, customer notifications, identity protection, legal fees, and litigation settlements. A $25 million accrual was recorded for class action litigation related to the incident. The ALPHV/BlackCat ransomware group claimed responsibility.
A new cyber campaign has emerged targeting Israeli users, showcasing the Rhadamanthys information stealer, a sophisticated malware developed by Russian-speaking cybercriminals. Offered as malware as a service, Rhadamanthys is adept at data exfiltration, employing an intricate infection chain. The attack uses social engineering tactics, sending Hebrew phishing emails impersonating notifications from Calcalist and Mako. These emails exploit urgency and fear by falsely alleging copyright infringement, prompting users to act quickly. The emails include a locked RAR archive containing a suspicious executable named copyright-infringing-images.exe in Hebrew. Once executed, Rhadamanthys employs anti-analysis tactics to avoid detection and injects code into legitimate Windows processes, persisting through registry modifications. It steals credentials, browsing history, cryptocurrency info, and system details, communicating with its C2 server over HTTPS. The malware also acts as a downloader for additional payloads.
Zola ransomware is the latest evolution of the Proton family, which first appeared in March of 2023. Discovered by Acronis researchers, Zola uses advanced techniques to disable Windows Defender and employs various hacking tools for privilege escalation, network reconnaissance, and credential theft. It distinguishes itself with features like a single mutex to prevent simultaneous execution, administrative rights verification, and a Persian language-based kill switch. Zola's preparation includes generating victim IDs, modifying registry values, disabling recovery options, and killing 137 processes and 79 services to remove security measures. The ransomware employs the ChaCha20 algorithm for encryption and uses Crypto++ for cryptographic functions, while falsely claiming AES and ECC encryption in ransom notes. An anti-forensics measure fills the disk with uninitialized data to hinder recovery and forensic analysis. Zola is available in x86 and x64 versions, targeting a wide range of systems and retaining much of Proton's core functionality. Future variants are expected to continue this pattern of rebranding.

Mozilla has released Firefox 129, addressing several high-severity vulnerabilities to enhance browser security. The update fixes critical issues like out-of-bounds memory access and graphics handling, which could lead to memory corruption and sandbox escapes. Other vulnerabilities include obscuring full-screen notification dialogs, incomplete WebAssembly exception handling, and use-after-free bugs in JavaScript and IndexedDB. These flaws pose risks of spoofing, unauthorized data access, and memory corruption. Mozilla advises users to update Firefox immediately to ensure a safer browsing experience.
Researchers at Certitude recently uncovered a vulnerability in Microsoft 365's anti-phishing measures. They discovered a way to bypass the First Contact Safety Tip, a feature that alerts Outlook users when they receive an email from an unfamiliar sender. This alert is inserted into the email's HTML body, but attackers can manipulate its appearance using CSS. By changing the background and font colors to white, the warning becomes invisible to the user. The team at Certitude demonstrated how attackers could further exploit this vulnerability by spoofing the icons that indicate encrypted and signed emails. By altering the HTML code and using Unicode characters to prevent Outlook from recognizing email addresses, they made phishing attempts appear legitimate. Despite Certitude's proof of concept and advisories submitted through the Microsoft Researcher Portal, Microsoft chose not to address the issue.

Researchers at LevelBlue Labs have identified a new tactic used by threat actors to exploit legitimate antivirus software for malicious purposes. The attack uses a tool called SbaProxy, which disguises itself as a legitimate antivirus component to establish proxy connections via a command-and-control server. SbaProxy is distributed in various formats, such as DLLs, EXEs, and PowerShell scripts, and can easily evade detection due to its legitimate appearance and valid certificates. The attackers modify antivirus binaries like those from Malwarebytes and Bitdefender, maintaining their benign appearance. Malicious binaries signed with valid certificates bypass security checks, making detection challenging. LevelBlue Labs discovered that these binaries execute XOR-encrypted shellcode and establish C2 communication by hijacking antivirus functions. The lab developed detection methods, including Suricata IDS signatures, to identify this threat, with indicators of compromise available.
Samsung has launched the Important Scenario Vulnerability Program, ISVP, a new bug bounty initiative for its mobile devices, offering rewards of up to $1 million for critical vulnerabilities. The program focuses on issues like arbitrary code execution, device unlocking, data extraction, and bypassing protections. Device unlocks with full data extraction can earn $400,000. The program aims to improve security by incentivizing reports of significant vulnerabilities. Samsung says they've paid over $800,000 in 2023, and they aim to surpass previous records with ISVP. Since 2017, Samsung has awarded nearly $5 million in bug bounties.

Coming up after the break, Adam Marré from Arctic Wolf joins us to share his observations from Black Hat USA. Stay with us.
It is always my pleasure to welcome back to the show Adam Marré. He is Chief Information Security Officer at Arctic Wolf, and today he is joining us live from the Black Hat Conference in beautiful, warm Las Vegas. Adam, thanks for taking the time for us today.
Yes, coming to you live from the blast furnace here in Vegas. It is 111 degrees or will be today, so it's great to be here.
Yeah, well, thanks for joining us. And before we begin, for folks who aren't familiar with Black Hat or have never had the privilege of going to attend that conference, can you kind of compare and contrast it to some of the other shows? I mean, how is it different from the RSA Conference? And what is it about it that makes it worth your time?
Yeah, it's a great question. Well, we lovingly refer to this time in Vegas as Hacker Summer Camp because, combined with BSides Las Vegas and DEF CON, it's really a conference where people talk a lot more in depth about the technology, about different vulnerabilities, how they can be exploited, and things really of that nature, which is a little bit different than RSA, which has come to be a little bit more of a vendor or business conference, which is also great and has its own strengths. But it's really fun to come here, especially for us practitioners, to talk about, you know, things in security operation centers, pen testers, hackers, all of that, and to get together. And there's even a lot of hands-on classes that happen in the various conferences so people can up-level their skills and get a chance to see some really interesting cutting-edge things.
What's your sense of the overall spirit of folks as they're coming into this conference here? Are people in a good mood, or what's your take?
Well, the feeling is always exciting when you come here because, a lot like summer camp, you get to see colleagues you haven't seen in a long time and catch up with people. I saw a gentleman I haven't seen in two and a half years and we got to catch up for a minute. So there's all of that. So there's generally a lot of excitement in that way. But also this year, there's so many things happening, especially right now, right before and during this conference, that there is a high level of excitement. And, you know, I think people are looking forward to a lot of the talks to talk about things like election security and AI and all of that. And I'm sure we'll get into that. But that's what the vibe is for me around. It's just, it feels very exciting here.
You know, one of the challenges that folks face with a conference like this is time management. There's always so much you want to see, but only so much time. How do you approach that? How do you prioritize the things that you're going to be able to spend your time on?
Yeah, it's a really great question, especially for security leaders and executives trying to balance meeting with customers, meeting with various vendors, the media, but then also being at the conference and attending the sessions and some of the closed-door sessions that they have in association with the conference. So it's always a balancing act. I like to get the pass where I also get the digital version so I can watch some of the shows or some of the talks that I might miss later. And then really just have to prioritize what's most important to me at the time. Sometimes it's more important to be out there talking with various vendors and potential and current customers. And sometimes it's more important to really sit down and digest and get as much as I can out of the conference live as possible. So it really depends on the year and it depends on the person and what your focus is.
What are the hot topics that you're seeing heading into this year's Black Hat? I mean, is AI still at the top of everybody's list?
Yes, it is. But it's interesting right now, the keynote that's going on, I'll be stepping into as soon as I'm done talking to you, is all about election security. Jen Easterly from CISA is here and talking about, you know, the security situation that everyone faces around the world. There are elections around the world this year, not just this big one in the United States. And so I'm really interested to hear what the latest is on that. You know, according to our own research at Arctic Wolf, we know that so many municipalities and districts are woefully unprepared or feel like they're woefully unprepared for this. So that's something really interesting. And it really does blend into the AI discussion because I'm looking forward to a lot of the talks about how, you know, white hat hackers and researchers are looking into making the LLMs that are so ubiquitous out there now, that people are using those tools, using those to do things that maybe they weren't intended for and getting them to spit out information that maybe they shouldn't. I'm also interested to hear about the spread of misinformation that these AI tools are used for, and that in conjunction with the elections. So election security is kind of going throughout the conference. And of course, it wouldn't be a conference today without a major focus on AI. So as I said, I'm really interested in hearing the talks about that. And also, I think I see a surprising number of sessions this year on how AI is being used by teams to improve their cybersecurity and improve their security operations and vulnerability management programs. So I'm interested to hear how some of the top-level teams and organizations are using AI in that way.
Yeah, it strikes me that being there, being able to have those one-on-one or even group conversations with other people, being in the same room, really gives you the opportunity to kind of cut through a lot of the hype that we see with technologies like AI and get to the ground truth of how this can really benefit your organization.
Absolutely. And I do feel like there's a feeling of openness at Black Hat, and DEF CON, that you don't maybe get at some of the other conferences, where, especially in those hallway conversations or pulling somebody into a room, you really get to talk with them about what's really going on with their teams, what's really going on with their organization. And another big theme I'm hearing, maybe not so much in the session titles and things like that, but people are talking about, is resilience. And resilience in the face of any kind of tech outage or cybersecurity incident, and really being able to get your organization back on its feet quickly. In fact, I was able to talk with Dmitri Alperovitch last night. He wrote a great book called World on the Brink about the rising threat of China. But one of the things I asked him was, you know, what can organizations do today? And the big thing he said was resilience. Learn how to be able to recover quickly from any kind of outage. And that can really help you be set up, you know, to exist in this world with all the threats and all the things that we are facing as an organization. And I've heard that from a lot of people this week.
Adam Marré is CISO at Arctic Wolf. He's joining us from the Black Hat Conference. Adam, thanks so much for taking the time for us.
It's my pleasure. Thank you.

And finally, updated research from Sophos shows that ransomware gangs are increasingly sophisticated in their tactics, adapting over time to exert more pressure on their victims. Initially, in 2021, tactics included threats to publish stolen data, contacting employees, and alerting media outlets. These methods are still in use, but recent developments show that threat actors have become more creative and aggressive. They now exploit legitimate entities such as the media, legislation, and law enforcement to apply pressure on victims. This includes encouraging affected customers and employees to sue the victim organizations and using stolen data to highlight potential legal or regulatory violations. Ransomware groups such as ALPHV/BlackCat have even filed official complaints with regulatory bodies like the SEC, accusing victims of non-compliance. Other groups assess stolen data for evidence of wrongdoing to use as leverage. In some cases, ransomware operators publicly shame their victims, portraying themselves as vigilantes while targeting individuals with reputational damage by revealing personal or embarrassing information. Tactics also include leaking highly sensitive information, such as medical records and private images, to further intimidate victims. The evolution of these tactics reflects a broader willingness to exploit any means available to coerce payment and damage reputations. As ransomware groups grow more audacious, the threat landscape becomes more perilous, necessitating heightened vigilance and robust defenses from potential targets.
And that's the CyberWire.

For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies.

This episode was produced by Liz Stokes. Our mixer is Trey Hester, with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.